BASTION

In production operation on BESTNET-CLOUD
Closed-Network AI Ops Platform

Local LLM automatically analyzes infrastructure and executes automatic attack defense through dynamic bandwidth quality control.
A dual-axis security and quality module addresses cloud operators’ operational challenges.


Delivering “AI Ops” in areas where cloud AI cannot reach, within closed networks

AWS DevOps Agent and Azure Security Copilot are powerful, but they cannot reach closed-network environments, on-premises physical equipment, and “operational challenges beyond security.”


Data Sovereignty Issues

Logs are sent to cloud vendor AI platforms. Cannot be used in closed-network environments for financial institutions, government agencies, and healthcare.


Opacity of Usage-Based Pricing

AWS DevOps Agent charges $0.0083/second on a usage basis. Costs balloon as investigation frequency increases, making budgets unpredictable.


Operational Challenges Extend Beyond Security

Beyond attack detection, there are many operational challenges to entrust to AI: bandwidth quality, resource optimization, cost management, and more.

A platform where two modules operate in parallel

BASTION is not a single-function product but an AI Ops Platform providing multiple modules. Each module has an independent failure boundary, so one module’s failure does not cascade to another.

Security Module (in operation)

From attack detection to automatic defense. A multi-layer correlation engine combines detections from individual devices and visualizes entire attack campaigns. Executes simultaneous defense across multiple systems within 8 seconds of detection.

  • Multi-layer correlation engine (FW/VPN/authentication/application/endpoint)
  • Coordinated attack group detection (same subnet and ASN units)
  • Cascade defense (boundary device + DMZ Agent simultaneous blocking)
  • Lightweight Agent for DMZ and isolated environments

Quality Module (in operation, observation phase)

Continuous observation of bandwidth usage and dynamic allocation control. Aggregation is keyed directly on the virtual platform's network identifiers, so it is accurate per VM; time-based threshold judgment and weighted allocation are implemented. Production deployment proceeds in stages.

  • VM traffic collection at regular intervals
  • Threshold judgment by subnet, time zone, and direction
  • Dynamic rate control with weighted allocation during congestion
  • Dry-run mode for observation → staged deployment

Operations Automation and Cost Optimization (future vision)

With platform expansion, operational burden reduction, cost optimization, and customer management integration are planned for sequential addition.

  • Client portal integration (automatic ticket creation)
  • Management Console integrated visualization
  • Resource optimization recommendations

Simple configuration, powerful automation

Composed entirely of open source. Operates within customer networks with no log data sent externally.

[Figure: BASTION architecture diagram]

Local LLM (Qwen2.5-14B), rsyslog, shell scripts, SQLite. Internet connection not required.

Actually running on our own infrastructure

BASTION operates 24/7 in BESTNET-CLOUD’s production environment. The security module protects 10 devices, and the quality module observes 76 virtual machines.

  • 10 security defense target devices: FW/VPN/authentication/application/Agent-type DMZ
  • 6 devices blocked simultaneously by cascade defense: attack detection propagates to all devices in 8 seconds
  • 76 quality module observation target VMs: collected at regular intervals with a 99.86% collection success rate
  • 0 external data transmissions: all processing completes within customer networks
[Screenshot: BASTION cascade block execution example] Automatic cascade defense activation (Security). Attack campaign detection → simultaneous blocking issued to boundary FW, client portal infrastructure, load balancer, and DMZ Agent group within 8 seconds. Physical isolation enforced by OS firewall on each device.

[Screenshot: BASTION automatic report] Automatic daily report (Ops). Automatically distributed to Slack by severity. Non-CRITICAL items noise-suppressed. Detailed analysis called on demand by mention.

“Do not rely entirely on AI”: operational safety design

When introducing automatic control to production infrastructure, handling AI judgment errors and unforeseen situations is essential. BASTION adopts a staged design that clearly separates “human judgment” from “AI implementation.”

Stage A — Current status assessment by AI

AI performs read-only investigation and reporting. It does not output judgments or evaluations. Zero impact on production.

Stage B — Judgment by operators

All judgments—classification, threshold setting, production mode switching—are made by operators. Not delegated to AI.

Stage C — Implementation by AI

AI implements accurately based on operator judgment. Production writes follow “dry-run → limited production → full production” in three stages. Emergency stop command always ready.

Basic principles of AI cooperation

VM classification, network configuration, data structure details, and organization-specific context are factual domains that only operators understand. BASTION is designed so that AI “does not guess but asks for confirmation.” We have systematized 10+ lessons learned in actual operations as “design principles” and reflected them in all new implementations.

Differences from existing solutions

| | Cloud AI monitoring (AWS/Azure) | Traditional SIEM/SOAR | BASTION |
|---|---|---|---|
| Data sovereignty | External transmission | Product dependent | Complete closed-network |
| Billing model | Usage-based | License | Scope-based estimate |
| Attack campaign detection | | Fixed rules | Mathematical judgment + coordinated attack grouping |
| DMZ and isolated environment support | × | Limited | Dedicated Agent + verification engine |
| Dynamic bandwidth quality control | × | × | ○ (Quality module) |
| Production deployment safety | Vendor dependent | Fixed behavior | Three-stage mode + emergency stop |
| Adding devices | API integration required | Custom implementation | Syslog connection only |

“Mathematical judgment” is based on a proprietary model derived from independent research (IHD/Stigmergic/PRSA) by Hideyuki Chinda (representative). Details are non-public pending a patent application, but conceptual-level details are being disclosed gradually in our tech blog.

Security and quality capabilities on two axes

🛡 Security Module

  • Multi-layer correlation campaign detection — Cross-layer analysis of 5 layers. Visualizes attack scenarios invisible to individual devices
  • Coordinated attack group detection — Unified grasp of organized attacks at same subnet and ASN units
  • Cascade defense — Single detection propagates to multiple devices simultaneously. Simultaneous boundary device + DMZ Agent blocking
  • OS-unified blocking method — Unified to firewalld/ufw/iptables. Does not depend on customer environment middleware
  • DMZ dedicated Agent — WebSocket communication. Agent side minimal privilege with dual-layer protection by verification engine
  • Automatic device classification — Monitoring begins by directing syslog. Zero registration work
  • Whitelist protection — Physically prevents accidental blocking of company IPs and partner IPs
  • 24-hour automatic release — Even temporary false positives do not result in permanent blocking
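The whitelist protection, cascade defense and 24-hour automatic release above can be read as one ordering rule: check the whitelist first, then fan out to every target, and let the ledger expire the block. This added example, which is not BASTION's own code, models that ordering with an in-memory SQLite ledger and a dry-run default; the prefixes, device names and block table are constructed assumptions.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed whitelist: company and partner ranges that must never be blocked
# (RFC 5737 documentation prefixes, not real addresses).
WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
# Hypothetical device group a cascade block fans out to (names are assumptions, not BASTION's).
CASCADE_TARGETS = ("boundary-fw", "portal-lb", "dmz-agent-01", "dmz-agent-02")
BLOCK_TTL = timedelta(hours=24)  # 24-hour automatic release


def is_whitelisted(ip: str) -> bool:
    """Whitelist protection: a listed source is refused before any device is touched."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the SQLite block ledger (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocks (ip TEXT, device TEXT, expires_at TEXT, applied INTEGER)")
    return db


def cascade_block(db, ip: str, now: datetime, dry_run: bool = True) -> list:
    """Fan one detection out to every cascade target; returns the actions taken.

    In dry-run mode the block is only recorded, never applied, so the ledger can be
    reviewed before switching to limited or full production.
    """
    if is_whitelisted(ip):
        return []  # never reaches the device layer
    expires = (now + BLOCK_TTL).isoformat()
    actions = []
    for device in CASCADE_TARGETS:
        mode = "DRY-RUN" if dry_run else "APPLY"
        actions.append(f"{mode} {device}: block {ip} until {expires}")
        db.execute("INSERT INTO blocks VALUES (?, ?, ?, ?)",
                   (ip, device, expires, 0 if dry_run else 1))
    db.commit()
    return actions


def release_expired(db, now: datetime) -> list:
    """24-hour automatic release: drop ledger rows whose TTL has passed and return them.

    ISO strings compare correctly here because every stamp is tz-aware UTC in one format.
    """
    stamp = now.isoformat()
    rows = db.execute("SELECT ip, device FROM blocks WHERE expires_at <= ?", (stamp,)).fetchall()
    db.execute("DELETE FROM blocks WHERE expires_at <= ?", (stamp,))
    db.commit()
    return rows
```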

📊 Quality Module

  • Accurate aggregation based on virtual platform identifiers — VM identification obtained directly from virtual platform network identifiers, eliminating false positives
  • Judgment by subnet, time zone, and direction — Individual threshold design matched to line characteristics
  • Dynamic rate control — VM-level control with weighted allocation during congestion
  • Weight control — Operators can adjust VM-level priority at their discretion
  • Dry-run default — Operates for observation only; production mode switching is operator decision
  • Staged production deployment — Careful rollout from single subnet limitation to all subnets
  • Emergency stop command — Immediate release of all control implemented from the start
  • Automatic release — Automatically releases control after 15 continuous minutes of congestion resolution
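The quality module items above describe one control loop per subnet: a threshold decides congestion, weighted allocation turns that into per-VM rate limits, dry-run is the default, and control is released only after 15 continuous minutes without congestion. This added example, not BASTION's own code, implements that loop for a single subnet and direction with one sample per minute; capacity, threshold and weights are constructed operator choices, and the allocation is a weighted water-filling of my own choosing since the page does not specify the formula.

```python
from dataclasses import dataclass, field


@dataclass
class SubnetPolicy:
    """Constructed per-subnet policy; thresholds and weights are hypothetical operator choices."""
    capacity_mbps: float
    threshold_ratio: float = 0.9   # congested when usage exceeds this share of capacity
    weights: dict = field(default_factory=dict)  # vm -> priority weight set by operators
    release_after: int = 15        # consecutive clear samples (one per minute) before release


@dataclass
class SubnetState:
    controlled: bool = False
    clear_streak: int = 0


def weighted_allocation(capacity: float, usage: dict, weights: dict) -> dict:
    """Water-filling by weight: a VM below its weighted share keeps its own usage and the
    leftover is shared, by weight, among the VMs still above their share."""
    remaining = dict(usage)
    alloc, cap_left = {}, capacity
    while remaining:
        total_w = sum(weights.get(vm, 1.0) for vm in remaining)
        satisfied = [vm for vm in remaining
                     if remaining[vm] <= cap_left * weights.get(vm, 1.0) / total_w]
        if not satisfied:   # everyone left is over its share: the shares become the limits
            for vm in remaining:
                alloc[vm] = round(cap_left * weights.get(vm, 1.0) / total_w, 2)
            break
        for vm in satisfied:
            alloc[vm] = remaining.pop(vm)
            cap_left -= alloc[vm]
    return alloc


def evaluate(policy: SubnetPolicy, state: SubnetState, usage: dict, dry_run: bool = True):
    """One per-sample decision for a subnet; returns (action, per-VM rate limits or None)."""
    congested = sum(usage.values()) > policy.capacity_mbps * policy.threshold_ratio
    if congested:
        state.controlled, state.clear_streak = True, 0
        limits = weighted_allocation(policy.capacity_mbps, usage, policy.weights)
        return ("dry-run" if dry_run else "apply", limits)
    if state.controlled:
        state.clear_streak += 1
        if state.clear_streak >= policy.release_after:   # 15 continuous clear minutes
            state.controlled, state.clear_streak = False, 0
            return ("release", None)
        return ("hold", None)
    return ("idle", None)
```

A dry-run emits the limits it would have applied without touching any VM, which is what makes the ledger reviewable before production mode is switched on by an operator.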

Harness-based hybrid LLM integration (experimental stage)

Based on local LLM (Qwen2.5-14B), we are building experimental integration capabilities with high-performance external LLM APIs such as Claude and GPT. Through a harness that appropriately selects LLMs by use case, we can address both routine task automation and unexpected issues.


Routine task automation

Automate periodic reports, inventory, and operational record organization—routine tasks where external LLMs excel. Delegate transcription and structuring while keeping judgment with humans.


Advanced reasoning during problem occurrence

For complex problems not encountered in normal operation, or unexpected failure scenarios that are hard for a local LLM, the harness brings in the reasoning power of an external LLM.


Harness-based switching control

A harness controls which LLM to use in which scenario. Cost, data sovereignty, and reasoning performance balance can be designed per customer environment.

Note: External LLM integration is experimental. Integration into production operations will be designed per customer alongside data sovereignty requirements. For strict closed-network requirements, we continue to offer configurations using local LLM only.

Start with a consultation

We conduct interviews on target devices and requirements, then provide proposals based on scope.
You can deploy either the security module alone or both modules together.


Setup fee is individual estimate based on scope / Monthly maintenance is optional / All components are OSS / Log data is never sent externally

Revision History

| Date | Version | Changes |
|---|---|---|
| 2026-04-16 | v1.0 | Initial release. Architecture diagram, 5 Slack screenshots, competitor comparison table, feature list. |
| 2026-04-17 | v1.1 | Added cross-layer analysis (OPNsense × AD) screenshot to Evidence section. Added HP navigation. |
| 2026-04-21 | v2.0 | Added automatic device classification and endpoint monitoring to feature list. Added tech blog section with 4 posts. |
| 2026-04-23 | v2.1 | Added reactive defense (automatic attack source IP blocking, fully automated operation). |
| 2026-04-24 | v2.2 | Added multi-layer correlation campaign detection. Updated to 8 tech blog posts. |
| 2026-05-10 | v2.3 | Redefined BASTION as AI Ops Platform. Changed to dual-axis structure: security module + quality module. Reflected coordinated attack group detection, cascade defense, DMZ Agent, and AI cooperation safety design (stages A/B/C, dry-run default). Incorporated figures: 10 security defense devices, 76 quality module observation VMs. Added hybrid LLM integration by harness (experimental stage) section. |
| 2026-05-14 | v2.4 | Published 3 tech blog articles (multi-layer correlation campaign detection / DMZ Agent and verification engine / local LLM infrastructure log analysis). Updated related links in LP to actual URLs. Added NEW and Coming soon badges. |